ModSecurity for Nginx ModSecurity for Nginx is a web server plug-in for the Nginx web server platform. This module was created through a collaboration between Trustwave SpiderLabs Research, Microsoft Security Research Center (MSRC), Yandex and community members. With the addition...

In the last blog post, "Opps I pwned your router Part One", I talked about some of poor security that went into the basic embedded router operating systems. In this post I will flush out in more detail how one can go about reverse engineering these devices, what tools worked for me, and some of the results that I was able to get to. Hint: Having root on your hardware is good for me, bad for you.

Those familiar with password cracking know that KoreLogic's rule set for John the Ripper has become the de facto standard for password cracking.However, as with anything technology related, the rules are slightly starting to show their age, specifically with rules designed to take into account years. So, I decided to take on the task of making a few modifications to the rule set, this includes updating them to take into account the current and prior year, but also reworking some of the rules to eliminate some redundancy.

The ride on the roller coaster called the web security world never stops and keeps providing us, the security researches, with new challenges. Blackhole v2 that just came out last week and which was in headlines seems like a distant...

Regular Expressions for Input Validation If your web application defensive strategy against injection attacks relies solely upon the use of blacklist regular expression for input validation, it is only a matter of time before an attacker finds an evasion. Want...

A few days ago a new version of THE most common exploit kit was released. Unlike most exploit kit authors, who try to keep a low profile, the author of Blackhole publishes his work in Russian forums and even writes...

This has been a fairly common topic over the last year and I've seen plenty of blog posts and presentations about the subject. For me personally, many just don't cover the information I've found to be essential during my entrance...